Basic Virtual Private Network Deployment

Why deploy a Virtual Private Network? It is important to first understand
the needs of your environment and then decide whether tunneling will fulfill
those needs. This chapter also covers many common attacks that occur over networks
to help you understand why it is important to protect your servers. Finally,
it covers basic tunnel network designs.

Before discussing the features of Windows 2000 tunneling technology, it is
important to establish the terminology that one should be familiar with. The
terminology is not specific to Windows 2000 and can be applied to almost any
VPN-related product. After defining the terminology this book uses, this chapter
discusses one all-important question: Why deploy a Virtual Private Network?
It is important to first understand the needs of your environment and then decide
whether tunneling will fulfill those needs. This chapter also covers many common
attacks that occur over networks to help you understand why it is important
to protect your servers. Finally, it covers basic tunnel network designs.

Terminology

The first step is to define some VPN terminology. You should be familiar with
the following terms:

VPN server (also known as a tunnel server). A computer that
accepts VPN connections from VPN clients. A VPN server can provide remote access
VPN connections or a router-to-router (site-to-site) VPN connection. It is the
VPN server that is connected to the public network. This book primarily refers
to Windows 2000 as the tunnel server, but there are many other types of tunnel
servers.

VPN client (also known as a tunnel client). A computer that
initiates a VPN connection to a VPN server. A VPN client can be an individual
computer that obtains a remote access VPN connection or a router that obtains a
router-to-router VPN connection. This book primarily covers Windows 2000,
Windows 98, and Windows NT 4 as VPN clients.

Tunnel. The logical link between the tunnel client and the tunnel
server. This link is where the data is encrypted and encapsulated. It is
possible to create a tunnel and send the data through the tunnel without
encryption, but that is not a recommended VPN connection type because the data
being sent can be intercepted and read.

Edge server. This tunnel server is the outermost server on the
company's private network. Typically, anything "behind" this
server (on the corporate network) is "open frame" traffic and can be
readily intercepted. If frames are captured on the private network, the security
of the traffic is compromised, even though the network is using a tunnel to the
edge server. This scenario does not, therefore, have end-to-end security. An
edge server can be a firewall, or it can be a specific system that does nothing
but handle tunnel traffic.

End-to-end security. A path that is encrypted from the client all
the way to the actual destination server has end-to-end security. If you have
complete security, it will not matter if frames are captured anywhere in the
path, because they maintain their encryption at all points in their journey.
Because the technology needed for a practical implementation of end-to-end
security has just been released, most designs at this time use a specific tunnel
server on the edge of the corporate network and have encryption only between the
client and the tunnel server.

Voluntary tunnel. A user or client computer can issue a VPN
request to configure and create a voluntary tunnel. In this case, the
user's computer is a tunnel endpoint and acts as the tunnel client. The
client must have the appropriate tunnel protocol installed. Many network designs
require this because the corporate networks do not generally control home LANs,
and having the tunnel clients as the actual endpoints reduces the potential
security risks.

Compulsory tunnel. A tunnel configured and created by a
VPN-capable dial-up access server. With a compulsory tunnel, the user's
computer is not a tunnel endpoint. Another device, the remote access server,
between the user's computer and the tunnel server is the tunnel endpoint,
which acts as the tunnel client. This configuration allows multiple clients on
the branch office or home LAN to use the tunnel concurrently, so a single tunnel
can be shared among multiple computers.